
Comments (6)

kbroughton commented on July 24, 2024

Possibly related to
hashicorp/terraform-provider-aws#4497

with TF_LOG=DEBUG

I can see that the policy is not being templated correctly

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::${var.cloudgoat_private_bucket_name}"
        },
        {
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::${var.cloudgoat_private_bucket_name}/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

DEBUG OUTPUT FOLLOWS

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                  "Service": "cloudtrail.amazonaws.com"
                },
                "Action": "s3:GetBucketAcl",
                "Resource": "arn:aws:s3:::"
            },
            {
                "Effect": "Allow",
                "Principal": {
                  "Service": "cloudtrail.amazonaws.com"
                },
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control"
                    }
                }
            }
        ]
    }

So it appears the default in variables.tf is not being used (although S3 bucket names have to be unique so ??)

variable "cloudgoat_private_bucket_name" {
  default = "cloudgoat-bucket-private"
}

If I create a terraform/terraform.tfvars and define
cloudgoat_private_bucket_name = "kesten-cloudgoat-private-bucket"
I get another strange error:

-/+ aws_s3_bucket.cloudgoat_private (new resource required)
      id:                            "terraform-20180802133524191600000001" => <computed> (forces new resource)
      acceleration_status:           "" => <computed>
      acl:                           "private" => "private"
      arn:                           "arn:aws:s3:::terraform-20180802133524191600000001" => <computed>
      bucket:                        "terraform-20180802133524191600000001" => "g6" (forces new resource)
      bucket_domain_name:            "terraform-20180802133524191600000001.s3.amazonaws.com" => <computed>
2018-08-02T08:46:19.904-0500 [DEBUG] plugin: plugin process exited: path=/Users/kbroughton/praetorian-tools/cloudgoat/terraform/.terraform/plugins/darwin_amd64/terraform-provider-aws_v1.29.0_x4
      bucket_regional_domain_name:   "terraform-20180802133524191600000001.s3.us-west-2.amazonaws.com" => <computed>
      force_destroy:                 "true" => "true"
      hosted_zone_id:                "Z3BJ6K6RIION7M" => <computed>
      policy:                        "" => "{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n              \"Service\": \"cloudtrail.amazonaws.com\"\n            },\n            \"Action\": \"s3:GetBucketAcl\",\n            \"Resource\": \"arn:aws:s3:::g6\"\n        },\n        {\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n              \"Service\": \"cloudtrail.amazonaws.com\"\n            },\n            \"Action\": \"s3:PutObject\",\n            \"Resource\": \"arn:aws:s3:::g6/*\",\n            \"Condition\": {\n                \"StringEquals\": {\n                    \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n                }\n            }\n        }\n    ]\n}\n"
      region:                        "us-west-2" => <computed>
      request_payer:                 "BucketOwner" => <computed>
      versioning.#:                  "1" => <computed>
      website_domain:                "" => <computed>
      website_endpoint:              "" => <computed>

So it looks like a random name was generated and my name gets mangled to something unexpected. Continuing to poke at it...

from cloudgoat.

kbroughton commented on July 24, 2024

Found the issue:
cloudgoat_private_bucket_name gets set in ./start.sh:

cloudgoat_private_bucket_name=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)

but:

$ cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1
tr: Illegal byte sequence

Replacing the /dev/urandom with one of the following works:
cloudgoat_private_bucket_name="$RANDOM-$RANDOM-$RANDOM-$RANDOM"
cloudgoat_private_bucket_name=$(python -c "import secrets; print(secrets.token_hex(16))")

Apply complete! Resources: 38 added, 0 changed, 0 destroyed.

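For readers hitting the same `tr: Illegal byte sequence`, here is a portable version of the name generator as an added example (not code from the cloudgoat repository or from the commenters). The macOS failure comes from `tr` validating each byte of `/dev/urandom` against the UTF-8 locale; running it under `LC_ALL=C` treats every byte as a valid character, which works on both macOS and Linux without depending on bash's `$RANDOM` or on Python. The example also validates the result against the S3 bucket-name rules that matter here, so an empty or malformed name aborts the script instead of being handed to Terraform, where (as the debug output above shows) it silently produced `arn:aws:s3:::` in the bucket policy. The prefix `cloudgoat-private-` and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the cloudgoat project: portable random S3
# bucket-name generation with validation.

# Emit N lowercase alphanumeric characters drawn from /dev/urandom.
# LC_ALL=C is what fixes "tr: Illegal byte sequence" on macOS: tr no longer
# tries to decode the random bytes as UTF-8. head -c ends the endless stream.
random_alnum() {
  n="$1"
  LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c "$n"
}

# Check the S3 bucket naming rules relevant here: 3-63 characters, only
# lowercase letters, digits and hyphens, and no leading or trailing hyphen.
# Returns 0 when valid, 1 otherwise (so an empty name is rejected too).
valid_bucket_name() {
  name="$1"
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 63 ] || return 1
  case "$name" in
    *[!a-z0-9-]*) return 1 ;;   # character outside the allowed set
    -*|*-) return 1 ;;          # leading or trailing hyphen
  esac
  return 0
}

# Compose the final name: a readable prefix (assumed, for illustration) plus
# 32 random characters, the same length the original start.sh asked for.
gen_bucket_name() {
  prefix="${1:-cloudgoat-private-}"
  printf '%s%s\n' "$prefix" "$(random_alnum 32)"
}

# Fail loudly if generation produced something S3 would reject, rather than
# letting an empty variable flow into the bucket policy template.
main() {
  name=$(gen_bucket_name)
  if ! valid_bucket_name "$name"; then
    echo "bucket name generation failed: '$name'" >&2
    return 1
  fi
  echo "cloudgoat_private_bucket_name=$name"
}

main "$@"
```

Running the script prints a `cloudgoat_private_bucket_name=...` line suitable for a tfvars file; `random_alnum` and `valid_bucket_name` can be sourced on their own into a start script.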

SpenGietz commented on July 24, 2024

Thanks for looking into this! Very helpful.

Looks like Python2 doesn't have the secrets library, so I'm thinking $RANDOM is the way to go here. I don't have a Mac, but had someone test the same command and they got the same error you did. I'll comment back here when I push up a fix.


SpenGietz commented on July 24, 2024

Just pushed a branch and opened a PR. Would you mind testing it out before I merge it into master?

#12


MiloATH commented on July 24, 2024

Can confirm that this branch works on MacOS


SpenGietz commented on July 24, 2024

Just merged into master, thanks @MiloATH!
